EXPLORE

EXPLORE DETECTIONS

🔍
308 detections found

Disable Strong Authentication (Microsoft Entra ID)

Detects when strong authentication methods (such as MFA) are disabled or weakened for a user account in Microsoft Entra ID. This action reduces account security and may indicate a legitimate administrative change or a potential attempt to bypass authentication controls and should be reviewed. Detects when strong authentication methods (such as MFA) are disabled or weakened for a user account in Microsoft Entra ID. This action reduces account security and may indicate a legitimate administrative change or a potential attempt to bypass authentication controls and should be reviewed.

T1556
CrowdStrike

Dll-Side Loading Detection Query

The query traces processes that write both DLL and EXE files to the same location while exhibiting masquerading behavior. Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/DLL-Side-Loading-Detection.md)

T1574.001
CrowdStrike

Dll-Side Loading Detection Query

The query traces processes that write both DLL and EXE files to the same location while exhibiting masquerading behavior. Reference: [GitHub Aamir-Muhammad/CrowdStrike-Queries](https://github.com/Aamir-Muhammad/CrowdStrike-Queries/blob/main/Hunting-Queries/DLL-Side-Loading-Detection.md)

T1574.001
CrowdStrike

DNS Resolutions from Browser Processes

This query correlates web browser process executions with their DNS queries to identify which domains were resolved by browser processes on specific endpoints

CrowdStrike

DNS Resolutions from Browser Processes

This query correlates web browser process executions with their DNS queries to identify which domains were resolved by browser processes on specific endpoints

CrowdStrike

DNS Staging Detection: ClickFix-Inspired nslookup Execution

Detects nslookup activity used for DNS-based staging, specifically targeting the pattern of querying external nameservers to retrieve and execute malicious payloads, as seen in recent ClickFix attacks. This hunt is highly valuable as it identifies a shift away from heavily-monitored tools like mshta and PowerShell toward abusing trusted network utilities to bypass standard firewalls and blend with legitimate DNS traffic. Targeting trusted binaries: Monitors nslookup.exe, which attackers now prefer because it is less likely to be blocked by security software than mshta or PowerShell. External DNS Queries: Specifically looks for nslookup commands that provide a direct IP address for an external nameserver, bypassing the system's default, monitored DNS resolver. Staging Pattern: Detects the use of findstr on the nslookup output, a known ClickFix technique to parse the "Name:" field from a DNS response and treat it as a secondary command for execution. Execution Chain: Monitors for the piping of this output directly into execution engines like PowerShell or IEX. Evasion Detection: DNS traffic is frequently allowed through corporate firewalls, making this a "lightweight staging channel" that effectively hides data exfiltration and payload delivery in plain sight. To test your query, run nslookup -q=txt google.com 1.1.1.1 in a command prompt. This triggers your detection by requesting a TXT record while bypassing local DNS to use an external IP. Wait a few minutes for the telemetry to ingest, then run your search to confirm the activity appears in your results.

T1071.004T1059.001T1204.002
CrowdStrike

DNS Staging Detection: ClickFix-Inspired nslookup Execution

Detects nslookup activity used for DNS-based staging, specifically targeting the pattern of querying external nameservers to retrieve and execute malicious payloads, as seen in recent ClickFix attacks. This hunt is highly valuable as it identifies a shift away from heavily-monitored tools like mshta and PowerShell toward abusing trusted network utilities to bypass standard firewalls and blend with legitimate DNS traffic. Targeting trusted binaries: Monitors nslookup.exe, which attackers now prefer because it is less likely to be blocked by security software than mshta or PowerShell. DNS Record Retrieval: Looks for nslookup commands that request TXT or ALL record types, which are commonly abused to stage content over DNS. Staging Pattern: Detects the use of findstr on the nslookup output, a known ClickFix-inspired technique to parse returned DNS content and prepare it for follow-on execution. Execution Chain: Monitors for nslookup output being piped through findstr and for /f and then into cmd, which is a strong indicator of DNS response data being transformed into executable input. Evasion Detection: DNS traffic is frequently allowed through corporate firewalls, making this a "lightweight staging channel" that effectively hides data exfiltration and payload delivery in plain sight. To test your query, run a command that matches the full pipeline pattern, for example: nslookup -q=txt google.com | findstr /i "Name" | for /f "tokens=*" %i in ('more') do cmd /c %i. Wait a few minutes for the telemetry to ingest, then run your search to confirm the activity appears in your results.

T1071.004T1059.001T1204.002
CrowdStrike

Domain Admin Enumeration

This query will detect Domain Admin Enumeration based on the Microsoft Defender for Identity Module This query will detect Domain Admin enumeration based on the Microsoft defender for Identity log sources.

T1069.002
CrowdStrike

Domain Controllers with high load

Domain controllers with either average CPU usage, average RAM usage that exceeds 80% or Available Disk space < 10GB. This indicates low capacity or unexpected excessive usage.

CrowdStrike

Domain Controllers with high load

Domain controllers with either average CPU usage, average RAM usage that exceeds 80% or Available Disk space < 10GB. This indicates low capacity or unexpected excessive usage.

CrowdStrike

Enriched Process Tree Association Events

The query filters for AssociateTreeIdWithRoot events, joins them with detection-pattern metadata from a CSV file, and outputs key fields like timestamp, host, pattern details and severity for analysis. In short, it enriches process-tree association events with contextual detection information. ## [AssociateTreeIdWithRoot](https://docs.crowdstrike.com/r/associatetreeidwithroot) This event is generated when there is a detection in the sensor. This event has a data field called PatternId that contains a pattern ID. Pattern IDs correspond to a detection. Reference[GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/AssociateTreeIdWithRoot%20to%20Pattern%20Details.md)

CrowdStrike

Enriched Process Tree Association Events

The query filters for AssociateTreeIdWithRoot events, joins them with detection-pattern metadata from a CSV file, and outputs key fields like timestamp, host, pattern details and severity for analysis. In short, it enriches process-tree association events with contextual detection information. ## [AssociateTreeIdWithRoot](https://docs.crowdstrike.com/r/associatetreeidwithroot) This event is generated when there is a detection in the sensor. This event has a data field called PatternId that contains a pattern ID. Pattern IDs correspond to a detection. Reference[GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/AssociateTreeIdWithRoot%20to%20Pattern%20Details.md)

CrowdStrike

Enumerate Windows Driver Loads

The query combines DriverLoad and Event_ModuleSummaryInfoEvent data to associate loaded driver hashes with their certificate details, simplifying file paths and aggregating filenames, subjects, and issuers for analysis of driver authenticity. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Enumerate%20Windows%20Driver%20Loads.md)

CrowdStrike

Enumerate Windows Driver Loads

The query combines DriverLoad and Event_ModuleSummaryInfoEvent data to associate loaded driver hashes with their certificate details, simplifying file paths and aggregating filenames, subjects, and issuers for analysis of driver authenticity. Reference: [GitHub CrowdStrike/logscale-community](https://github.com/CrowdStrike/logscale-community-content/blob/main/Queries-Only/Helpful-CQL-Queries/Enumerate%20Windows%20Driver%20Loads.md)

CrowdStrike

Evaluate Operating System Prevalence

This query counts how many Windows endpoints are running each OS version (like Windows 10, Windows 11, etc.) in your CrowdStrike environment. It groups endpoints by their current OS product name and returns the count for each version.

CrowdStrike

Evaluate Operating System Prevalence

This query counts how many Windows endpoints are running each OS version (like Windows 10, Windows 11, etc.) in your CrowdStrike environment. It groups endpoints by their current OS product name and returns the count for each version.

CrowdStrike

Exploitable Critical Vulnerabilities

Shows Critical CVEs that are considered exploitable (based on ExploitStatusEnum > 30). Results are aggregated by CVE and exploitability state, including the number of affected hosts.

TA0001
CrowdStrike

Exploitable Critical Vulnerabilities

Shows Critical CVEs that are considered exploitable (based on ExploitStatusEnum > 30). Results are aggregated by CVE and exploitability state, including the number of affected hosts.

TA0001
CrowdStrike

External Connectons with Process

CrowdStrike

External Connectons with Process

CrowdStrike

Failed and Successful User Logon Events

This query correlates successful and failed logon attempts per user account to identify potential compromise patterns, focusing on accounts with 4+ failed logons. It provides a comprehensive view of each user's authentication activity including password age and last successful access.

CrowdStrike

Failed and Successful User Logon Events

This query correlates successful and failed logon attempts per user account to identify potential compromise patterns, focusing on accounts with 4+ failed logons. It provides a comprehensive view of each user's authentication activity including password age and last successful access.

CrowdStrike

Failed logon attempt group by userName and unique Endpoint involved

CrowdStrike

Failed logon attempt group by userName and unique Endpoint involved

CrowdStrike
PreviousPage 5 of 13Next